Processing of (personal) data by the entity in charge of the online application process
PERSONAL DATA PROCESSING STATEMENT REGARDING JOB APPLICATION PROCESS
General information
This personal data processing statement, which refers exclusively to personal data processed by us as part of the online job application process, informs you about how the personal data processed as part of that process is handled at our end.
We are the controller:
Elcogen Oy
Niittyvillankuja 4, 01510 Vantaa, Finland
Business ID 2289594-1
contact person in personal data processing matters: alex.ciorici@elcogen.com
Personal data collected as part of the application process
Personal data means any information concerning the personal or material circumstances of an identified or identifiable individual, such as you. This includes, for example, your name, address, telephone number, date of birth, your user name and an IP address relating to you, but also personal data relating to your specific career (etc.) by reference to which a specific individual can be identified. However, information which cannot be indirectly or directly associated with your identity is not personal data.
Fundamentals and purposes of processing personal data collected from application documents and during the application process
If you apply to us electronically, i.e. via e-mail or using our online form, we will collect and process your personal data for the purpose of executing the application process and preparing employment related contracts and informing those who were not selected.
By submitting an application via our recruitment website, you express your interest in taking up an employment position with us. In this context, you transfer personal data, which we will process exclusively for the purpose of your job application process.
The following personal data is processed during this process:
name (first and last names)
e-mail address
home address
date of birth
phone number
all your LinkedIn profile public data if you agree to share access to your LinkedIn profile (such as your education, your work experience, your place of residence, your performance of work and evaluations of the same, your skills, matters of your interest in your professional career)
channel through which you found us (such as our own website)
cookies on our website
IP addresses from which you access our website and our job application system (online form)
your user name on our job application system (online form)
Only our authorized HR staff and/or staff involved in the application process have access to your personal data.
The personal data is stored exclusively for the purposes of filling the vacancy for which you have applied and for related purposes stipulated in the law (such as taking care of information security).
The sources of your personal data that we use are you yourself, as you submit information and data to us, and your LinkedIn profile, upon your consent.
Your personal data will be stored for two years immediately after an applicant has been selected for the open position. This is done based on our legitimate interest in defending ourselves against possible claims until the processing time has ended. After this period, we delete your personal data.
If you consent to it electronically, we reserve the right to process your personal data for 365 days after an applicant has been selected for the open position for the purposes of adding your personal data to our talent pool in order to identify any other open vacancies that may be of interest to you. Your personal data will be retained in the talent pool until you withdraw your consent.
Your personal data will not be processed outside the EU.
For the avoidance of doubt, it is stated that processing of personal data is minimized in any case as mandatory law requires.
Disclosure of personal data to third parties
Personal data transmitted as part of your application will be transferred using TLS encryption and stored in a database. This database is technically operated by Personio GmbH, which offers a human resource and applicant management software solution (https://www.personio.com/legal-notice/). In this context, Personio is our processor under article 28 of the GDPR.
Methods by which your personal data is secured
The personal data is secured by using the following methods and principles at our systems/premises and at the systems/premises of Personio:
(a) locks at any physical premises;
(b) firewall, anti-malware and spam filtering systems and other software and hardware that protect the security of communication networks;
(c) mandatorily required high quality passwords;
(d) all personal data is encrypted in transit;
(e) personal user rights that can be traced in the systems;
(f) limited number of superusers;
(g) professional knowledge of personnel;
(h) training of personnel; and
(i) written policies and guidelines relating to personal data matters.
Particularly in relation to Personio, please see their information security and privacy techniques and solutions here:
https://www.personio.com/security/#secure-software-development-lifecycle-ssdlc
Personio has, for example, an external party performing audits, and an audit report is available on the above website. Personio encrypts personal data while the personal data is stored and also while the personal data is in transit in public data networks.
Rights that you have
Right of access
You have the right to obtain from us a confirmation as to whether or not personal data concerning you is being processed by us. Where such personal data is being processed by us, we shall provide you with a copy of the personal data and the legally required information. For any further copies requested by you, we may charge a reasonable fee taking into account the administrative costs.
Particularly in relation to Personio, you have direct access to your own digital file at Personio at all times.
Right to data portability
At your request, if we process personal data based on your consent or based on a contract with you:
(a) We shall provide you with the personal data which you provided to us, in a structured, commonly used and machine-readable format;
(b) At your request and if technically feasible, we shall transmit the personal data in the same format directly to another controller.
Rectification and right to lodge complaint with supervisory authority
We shall, at your request, without undue delay, correct, erase or supplement the personal data in case of erroneous, unnecessary, incomplete or obsolete personal data taking into account the purpose of the processing, including by way of supplementing a corrective statement.
If we do not take such action at your request, we shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Please note that you may bring the matter to be processed by the local supervisory authority.
You have the right to lodge complaints with the local supervisory authority. The contact details of the Finnish supervisory authority are as follows:
https://tietosuoja.fi/en/office-of-the-data-protection-ombudsman
Right to object to processing
You have the right to object, on grounds relating to your particular situation, to the processing of your personal data which is based on either of the following legal bases for processing: (i) when the processing has been found necessary for the purposes of the legitimate interests of us or (ii) when the processing has been found necessary in order to protect your vital interests. You, however, do not have the right to object if we demonstrate compelling legitimate grounds for the processing which override your interests or fundamental rights and freedoms, or for the establishment, exercise or defence of legal claims.
Right to restriction of processing
‘Restriction of processing’ means the marking of the personal data with the aim of limiting its use in the future.
If you request, we must restrict the processing in the following situations:
(a) the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
(b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
(c) we no longer need the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims; or
(d) you have objected to the processing, but verification of whether our legitimate grounds override yours is still ongoing.
In the situations listed above, we can only process the personal data:
(a) with your consent or for the establishment, exercise or defence of legal claims;
(b) for the protection of the rights of another natural or legal person;
(c) for reasons of important public interest of the European Union or of a European Union Member State; and
(d) to store the personal data.
Right to be forgotten
You have the right to have your personal data erased at your request if one of the following grounds applies:
(a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
(b) you withdraw the consent on which the processing is based and where there is no other legal ground for the processing;
(c) you object to the processing as explained above;
(d) the personal data has been processed unlawfully; or
(e) the personal data has to be erased for compliance with a legal obligation in the European Union law or in a European Union Member State law to which we are subject.
However, we do not have to erase the personal data to the extent we still need to process the personal data:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by the European Union law or by a European Union Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
(c) for reasons of public interest in the area of public health in accordance with legal requirements; or
(d) for the establishment, exercise or defence of legal claims.
Automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We are not using such automated decision-making or profiling.